Abstract

This paper studies privacy and secure function evaluation in communication complexity. The focus is on quantum versions of the model and on protocols with only approximate privacy against honest players. We show that the privacy loss (the minimum divulged information) in computing a function can be decreased exponentially by using quantum protocols, while the class of privately computable functions (i.e., those with privacy loss 0) is not enlarged by quantum protocols. Quantum communication combined with small information leakage, on the other hand, makes certain functions computable (almost) privately which are not computable using either quantum communication without leakage or classical communication with leakage. We also give an example of an exponential reduction of the communication complexity of a function by allowing a privacy loss of $o(1)$ instead of privacy loss 0.

1 Introduction 

Mafiosi Al and Bob, both honest men, claim rights to protect a subset of the citizens of their hometown. To find out about possible conflicts of interest they decide to communicate and find out whether there is a citizen they both intend to protect. Of course they would like to do this in a way that gives each other as little information as possible on the subset they have in mind. In other words, they want to compute a function with as much privacy as possible, rather than caring about the communication cost incurred. This problem is one of the kind studied in the theory of private computation resp. secure function evaluation, initiated by Yao [32]. Another example is the two millionaires' problem, in which Al and Bob try to determine who is richer, but without revealing more about their actual wealth.
Informally, a protocol for the computation of some function on inputs distributed to several players is private if all information that can be deduced by one player during a run of the protocol can also be deduced from the player's input and the function value alone. A function is private if it can be computed by a private protocol. Generalizing this, a function is said to have privacy loss $k$ if the minimum, over all protocols computing the function, of the information divulged to the other players is $k$. In this definition we use an information theoretic measure for the privacy loss. Alternatively, the information leakage of a protocol may be measured as a distance between message states that must be "almost indistinguishable" for a player. This setup generalizes several cryptographic scenarios, see [?].

There are some variants and twists to this model. One can distinguish computationally secure and information theoretically secure protocols. The first variant is studied e.g. in [22] and [?]. Multiparty protocols in the information theoretically secure setting are given in [7] and [21]. A second kind of variation concerns the type of players. Basically "honest but curious" and "malicious" (or "byzantine") players have been considered in the literature. The first type of player sticks to the protocol but tries to get information by running some extra program on the messages received. The second type of player deviates arbitrarily from the protocol to get as much information as possible. Furthermore, protocols may be deterministic, randomized, or use the possibilities offered by quantum communication. A quantum variant of (information-theoretically) secure multiparty computation with malicious players has been investigated recently in [?]. A thorough study of secure quantum computation with honest players seems to be missing, especially in the two-player case. Lo has investigated the case of one-sided secure quantum computation [?], in which only one player learns the function value. Certain aspects of general two-party secure quantum computation are discussed in [17].

To compare the possible combinations of the above choices concerning the underlying model, consider the following facts known in the non-quantum setting. The two millionaires' problem has a computational solution [32] relying on the existence of one-way functions, but it cannot be solved in the information theoretic sense [?] (not even among honest players), i.e., some cryptographic hardness assumption has to be used. A variant of the millionaires' problem that can actually be solved with information theoretic privacy for honest players is the identified minimum problem, in which the wealth of the less rich player and his identity is revealed, but no additional information about the wealth of the other player [?]. Secure function evaluation among two dishonest players without computational restrictions is usually impossible. Information-theoretically secure multiparty protocols ($\geq 3$ players) with more than two thirds of all players being honest are possible for all functions [7]; in the computationally secure setting it is possible to compute all functions when more than one half of all players are honest [?].
In this paper we concentrate on information theoretical security and honest players. While considering only honest players seems to strongly restrict the model, it is important for several reasons. First, understanding honest players is a prerequisite to understanding actively cheating players. Secondly, these players capture "passive" attacks that cannot be detected in any way, which might be an important motivation for curious players to follow such a strategy. Furthermore, [?] gives a quite general reduction from multiparty protocols with honest majority to protocols with only honest players (in the computationally secure setting). Other motivations for considering this model include close connections to complexity measures like circuit size [25]. Privacy loss may also be viewed as a complexity measure, having some useful connections to communication complexity exploited e.g. in [11], [3].

We focus on the following aspects of private computing. Al and Bob have heard that quantum computers can break cryptographic schemes classically assumed to be secure, so they do not want to rely on computational solutions$^1$. They are interested in whether quantum communication enlarges the set of privately computable functions or substantially decreases the privacy loss of functions. Furthermore they are interested in whether it is possible to decrease the communication cost of a protocol by allowing leakage of a small amount of information. We concentrate on the two player model in this paper, though some of the results have implications for the multiparty setting, which we mention in the conclusions.

The functions we mainly consider in this paper are the disjointness problem $DISJ_n$, in which Al and Bob each receive a subset of a size $n$ universe and have to decide whether their subsets are disjoint or not, and the identified minimum problem $IdMin_n$, in which Al and Bob receive numbers $x, y$ from $0$ to $2^n - 1$, and the output is $2x + 1$ if $x < y$, and $2y$ otherwise.

The type of players we investigate are honest but curious. This means they stick to the protocol, but otherwise try anything they can to get information about the other player's input. In the quantum case a major point will also be whether the players might be trusted to not quit the protocol before the end. Our main model will measure the maximum information obtainable over all the rounds, not only the information obtainable at the end of the protocol. This corresponds to players that might quit the protocol before its end$^2$. The other model of nonpreemptive players will be investigated also, but here every function turns out to be computable almost privately and at the same time efficiently in the quantum case.

Our main results are the following. We show that the quantum protocol for disjointness with communication complexity $O(\sqrt{n}\log n)$ given in [?] can be adapted to have privacy loss $O(\log^2 n)$. We proceed to show that any classical bounded error protocol for disjointness divulges $\Omega(\sqrt{n}/\log n)$ bits of information. Thus Al and Bob are highly motivated to use the quantum protocol for privacy reasons. Note also that any (even nonprivate) classical randomized protocol for disjointness needs communication $\Omega(n)$ [20]. Every (nonprivate) quantum protocol for disjointness needs communication $\Omega(\sqrt{n})$, as recently established in [?].

$^1$ Actually it is quite possible that quantum one-way permutations exist, see e.g. [?].
$^2$ Al has the habit of shooting his guests after dessert, which may be well before the end of the protocol.

We then show that the class of privately computable functions is not enlarged by using quantum computers, i.e., every function that can be computed privately using a quantum protocol can also be computed privately by a deterministic protocol. This result leads to the same characterization of privately computable functions as in the classical case. We furthermore show that allowing a small leakage combined with quantum communication makes it possible to compute Boolean functions which are nonprivate. This holds neither for quantum communication without leakage nor for classical communication with leakage. We also analyze a tradeoff between the number of communication rounds and the leakage required to quantum compute a nonprivate function.

We then turn to the question whether leakage can decrease the communication complexity and show that $IdMin_n$ can be computed with leakage $1/\mathrm{poly}(n)$ and communication $\mathrm{poly}(n)$, while any perfectly private (quantum) protocol needs $\Omega(2^n)$ rounds and communication. Thus a tiny leakage reduces the communication cost exponentially. It has been known previously [?] that one bit of privacy loss in the "hint sense" can decrease the communication complexity exponentially, but in our result the privacy loss is much smaller, and the function we consider is more natural than the example in [?].

The paper is organized as follows. In the next section we give the necessary definitions and some technical results. Section 3 describes the result about an exponential decrease of privacy loss by using quantum communication. Section 4 discusses the set of functions computable by private or almost private quantum protocols. Section 5 shows how allowing very small privacy loss can decrease communication complexity. In section 6 we give conclusions and some open problems.

2 Preliminaries 

In this section we first describe the communication model we study, then the (quantum) information theoretic notions used, and finally discuss privacy definitions. For an introduction to quantum computing see e.g. [29].

2.1 The communication complexity model 

In the quantum communication complexity model two parties Al and Bob hold qubits. When the game starts Al holds a superposition $|x\rangle$ and Bob holds $|y\rangle$ (representing the input to the two players), and so the initial joint state is simply $|x\rangle \otimes |y\rangle$. Furthermore each player has an arbitrarily large supply of private qubits in some fixed basis state. The two parties then play in rounds. Suppose it is Al's turn to play. Al can do an arbitrary unitary transformation on his qubits and then send one or more qubits to Bob. Sending qubits does not change the overall superposition, but rather changes the ownership of the qubits, allowing Bob to apply his next unitary transformation on the newly received qubits. Al may also (partially) measure his qubits during his turn. At the end of the protocol, one player makes a measurement and sends the result of the protocol to the other player. The overall number of message exchanges is called the number of rounds. In a classical probabilistic protocol the players may only exchange messages composed of classical bits.

The complexity of a quantum (or classical) protocol is the number of qubits (respectively, bits) exchanged between the two players in the worst case. We say a protocol computes a function $f : X \times Y \to Z$ with $\varepsilon \geq 0$ error if, for any input $x \in X$, $y \in Y$, the probability that the two players compute $f(x,y)$ is at least $1 - \varepsilon$.

Sometimes we want to relax the above correctness requirement. We say a protocol $\mathcal{P}$ computes $f$ with $\varepsilon$ error with respect to a distribution $\mu$ on $X \times Y$, if

$$\Pr_{(x,y) \sim \mu,\; \mathcal{P}}\big[\mathcal{P}(x,y) = f(x,y)\big] \geq 1 - \varepsilon.$$

A randomized classical or a quantum protocol has access to a public coin, if the players can flip a classical coin and both read the result without communication. If not mentioned otherwise we do not consider this variant of the model.

The communication matrix of a function $f(x,y)$ is the matrix with rows labelled by the $x$'s, columns labelled by the $y$'s, and containing $f(x,y)$ at position $x, y$.

A rectangle in the communication matrix is a submatrix indexed by the product of a subset of the row-labels and a subset of the column-labels. A rectangle is monochromatic, if all its entries are the same.

2.2 Information theory background 

The quantum mechanical analogue of a random variable is a probability distribution over superpositions, also called a mixed state. For the mixed state $X = \{p_i, |\phi_i\rangle\}$, where $|\phi_i\rangle$ has probability $p_i$, the density matrix is defined as $\rho_X = \sum_i p_i |\phi_i\rangle\langle\phi_i|$. Density matrices are Hermitian, positive semidefinite, and have trace 1. I.e., a density matrix has only real eigenvalues between zero and one, and they sum up to one.

The trace norm of a matrix $A$ is defined as $\|A\|_t = \mathrm{Tr}\sqrt{A^\dagger A}$, which is equal to the sum of the magnitudes of the singular values of $A$. Note that if $\rho$ is a density matrix, then it has trace norm one. If $\phi_1, \phi_2$ are pure states then:

$$\big\| |\phi_1\rangle\langle\phi_1| - |\phi_2\rangle\langle\phi_2| \big\|_t = 2\sqrt{1 - |\langle\phi_1|\phi_2\rangle|^2}. \qquad (1)$$

The following important fact (the Kraus representation theorem) characterizes the physically allowed quantum operations on density matrices (trace preserving completely positive superoperators) in terms of adding blank qubits, doing unitary transformations, and tracing out (see [29]). Hence we can restrict our considerations to these operations.

Fact 1 The following statements are equivalent:

1. An operation $T$ sending density matrices over $H_1$ to density matrices over $H_2$ is physically allowed (i.e., trace preserving and completely positive).

2. There is a Hilbert space $H_3$ with $\dim(H_3) \leq \dim(H_1)$ and a unitary transformation $U$, such that for all density matrices $\rho$ over $H_1$ the result of $T$ applied to $\rho$ is

$$\mathrm{trace}_{H_1 \otimes H_3}\big[\,U\,(\rho \otimes |0_{H_3 \otimes H_2}\rangle\langle 0_{H_3 \otimes H_2}|)\,U^\dagger\big].$$

So allowed operations can be simulated by adding some blank qubits, applying a unitary transformation and "dropping" some qubits.

Another useful theorem states that for two mixed states $\rho_1, \rho_2$ their distinguishability is reflected in $\|\rho_1 - \rho_2\|_t$.

Fact 2 Let $\rho_1, \rho_2$ be two density matrices on the same space $\mathcal{H}$. Then for any measurement $O$,

where $\rho^O$ denotes the classical distribution on outcomes resulting from the measurement of $\rho$, and $\|\cdot\|_1$ is the $\ell_1$ norm. Furthermore, there is a measurement $O$, for which the above is an equality.

The Shannon entropy $H(X)$ of a classical random variable $X$ and mutual information $I(X : Y)$ of a pair of random variables $X, Y$ are defined as usual (see e.g. [16]).

The von Neumann entropy $S(\rho)$ of a density matrix $\rho$ is defined as $S(\rho) = -\mathrm{Tr}\,\rho \log \rho = -\sum_i \lambda_i \log \lambda_i$, where $\{\lambda_i\}$ is the multi-set of all the eigenvalues of $\rho$. Notice that the eigenvalues of a density matrix form a probability distribution. For properties of this function see [29].

We use the following fact about the continuity of entropy (see theorem 16.3.2 in [16] and theorem 11.6 in [29]).

Fact 3 Let $p, q$ be distributions on $\{0,1\}^n$ with $d = \|p - q\|_1 = \sum_x |p_x - q_x| \leq 1/2$. Then

$$|H(p) - H(q)| \leq d \cdot n - d \log d.$$

Let $\rho, \sigma$ be states in a $2^n$ dimensional Hilbert space with $d = \|\rho - \sigma\|_t \leq 1/e$. Then

$$|S(\rho) - S(\sigma)| \leq d \cdot n - d \log d.$$

An immediate corollary of Jensen's inequality is the following:

Fact 4 For $x \in \{0,1\}^n$ let $0 \leq p_x$ and $\sum_x p_x \leq \gamma \leq 1$. Then

$$-\sum_x p_x \log p_x \leq \gamma n - \gamma \log \gamma.$$

For a bipartite quantum state $\rho_{XY}$ we define the "mutual information" $I(X : Y)$ as $I(X : Y) = S(X) + S(Y) - S(XY) = S(\rho_X) + S(\rho_Y) - S(\rho_{XY})$, where $\rho_X, \rho_Y$ are the reduced density matrices on the systems $X, Y$. We also define conditional mutual information $I(X : Y \mid Z)$ as follows:

$$I(X : Y \mid Z) = S(XZ) + S(YZ) - S(Z) - S(XYZ).$$

We will employ the following facts from [22].

Fact 5 (Average encoding theorem) Let $x \mapsto \rho_x$ be a quantum encoding mapping an $m$ bit string $x \in \{0,1\}^m$ into a mixed state with density matrix $\rho_x$. Let $X$ be distributed over $\{0,1\}^m$, where $x \in \{0,1\}^m$ has probability $p_x$, let $Q$ be the register holding the encoding of $X$ according to this map, and let $\rho = \sum_x p_x \rho_x$. Then,

$$\sum_x p_x \|\rho - \rho_x\|_t \leq \sqrt{(2 \ln 2)\, I(Q : X)}.$$

A purification of a mixed state with density matrix $\rho$ over some Hilbert space $\mathcal{H}$ is any pure state $|\phi\rangle$ over some space $\mathcal{H} \otimes \mathcal{K}$, such that $\mathrm{trace}_{\mathcal{K}}\, |\phi\rangle\langle\phi| = \rho$.

Fact 6 (Local transition theorem) Let $\rho_1, \rho_2$ be two mixed states with support in a Hilbert space $\mathcal{H}$, $\mathcal{K}$ any Hilbert space of dimension at least $\dim(\mathcal{H})$, and $|\phi_1\rangle, |\phi_2\rangle$ any purifications of the $\rho_i$ in $\mathcal{H} \otimes \mathcal{K}$. Then, there is a local unitary transformation $U$ on $\mathcal{K}$ that maps $|\phi_2\rangle$ to $|\phi_2'\rangle = I \otimes U |\phi_2\rangle$ such that

$$\big\| |\phi_1\rangle\langle\phi_1| - |\phi_2'\rangle\langle\phi_2'| \big\|_t \leq 2\, \|\rho_1 - \rho_2\|_t^{1/2}.$$
2.3 Privacy

Given a protocol, a player is honest if for each input and all messages he receives he sends exactly the messages prescribed by the protocol. All operations are allowed as long as this requirement is met. It is e.g. allowed to copy a classical message to some additional storage (if it is known that the message is classical). Copying general unknown quantum states is, however, impossible [31].

We state this requirement a bit more formally in the following way. In a quantum protocol as defined above the actions of the players are defined as a series of unitary transformations plus the sending of a certain choice of qubits. For player Al to be honest we demand that for all rounds $t$ of the protocol, for all inputs $x$, and for all sequences of pure state messages he may have received in the previous rounds, the density matrix of the message in the next round equals the density matrix defined by the protocol and the input. Note that in a run of the protocol the player might actually receive mixed state messages, but the behavior of the player on these is defined by his behavior on pure state messages.

We define the privacy loss of a protocol as follows. Let $\rho_{ABXY}$ denote a state of the registers containing Al's private qubits in $A$, Bob's private qubits in $B$, Al's input in $X$, Bob's input in $Y$. We assume that the (classical) inputs are never erased by the players.

For a distribution $\mu$ on the inputs to a protocol computing $f$ the information divulged to Bob at time $t$ is $L(t, B, \mu) = I(B : X \mid Y, f(X,Y))$, for the state $\rho^{(t)}_{ABXY}$ of the protocol at time $t$ induced by the distribution $\mu$ on the inputs. Symmetrically we define Al's loss $L(t, A, \mu)$. The privacy loss of a protocol is the supremum of $L(t, \cdot, \mu)$ over all $t$ and $A, B$ and all $\mu$.

The privacy loss $L_\varepsilon(f)$ of a function $f$ is the infimum privacy loss over all quantum protocols computing $f$ with error $\varepsilon$. The classical privacy loss $CL_\varepsilon(f)$ is defined analogously, with the infimum over all classical randomized protocols.

A function $f$ is said to be private, if $CL_0(f) = 0$. It is known that $CL_\varepsilon(f) = 0$ with $\varepsilon < 1/2$ holds only for private functions [23].

Note that in the above definition we have assumed that the information 
available to a player is small in all rounds. Thus even if one player decides 
to quit the protocol at some point the privacy loss is guaranteed. 

If we consider only the final state of the protocol in our definition we 
call the players honest and nonpreemptive. For a classical protocol there is 
no difference between these two possibilities, since the information available 
only increases with time. In the quantum case, however, this is not true. 

The information divulged by a nonprivate protocol can also be measured in a different way, namely via distinguishability, see [11]. Let $\rho^{xy}$ denote the state of Al's and Bob's qubits in some round for inputs $x, y$, and let $\rho_A^{xy}$ resp. $\rho_B^{xy}$ denote the reduced density matrices on Al's and Bob's qubits. A protocol is said to leak at most $\delta$ to Bob, if for all $x, x'$ and $y$ with $f(x,y) = f(x',y)$ it is true that

$$\big\| \rho_B^{xy} - \rho_B^{x'y} \big\|_t \leq \delta.$$

This means that no quantum operation on Bob's qubits can distinguish the two states better than $\delta$. Thus there is a limit on Bob's ability to distinguish Al's inputs as long as changing these does not change the output. An analogous definition is made for Al. We say a protocol leaks at most $\delta$, if the maximum leakage to a player in any round is at most $\delta$.
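Both measures can be evaluated directly for small classical protocols. The following Python script is an added example and not part of the paper: it represents a deterministic two-party protocol by its transcript function, computes Bob's privacy loss $I(B : X \mid Y, f(X,Y))$ and Al's loss at the end of the protocol under the uniform input distribution using the conditional mutual information formula of Section 2.2, and computes the leakage to Bob as the maximum $\ell_1$ distance between his views on inputs with equal function value. The functions $AND$ and $IdMin_n$, the trivial "Al sends $x$" protocol and the counting protocol for $IdMin_n$ are chosen here for illustration.

```python
# Added example: privacy loss and leakage of deterministic two-party protocols,
# evaluated from the definitions of Section 2.3 at the end of the protocol.
from collections import defaultdict
from itertools import product
from math import log2


def entropy(joint, names):
    """Shannon entropy in bits of the marginal on the variables `names`.
    `joint` is a list of (record, probability); a record maps variable name -> value."""
    marginal = defaultdict(float)
    for record, p in joint:
        marginal[tuple(record[n] for n in names)] += p
    return -sum(p * log2(p) for p in marginal.values() if p > 0)


def cond_mutual_info(joint, a, b, cond):
    """I(a : b | cond) = H(a, cond) + H(b, cond) - H(cond) - H(a, b, cond)."""
    return (entropy(joint, (a,) + cond) + entropy(joint, (b,) + cond)
            - entropy(joint, cond) - entropy(joint, (a, b) + cond))


def transcript_distribution(f, protocol, n):
    """Joint distribution of X, Y, Z = f(X, Y) and the transcript T for uniform n-bit inputs."""
    joint = []
    for x, y in product(range(2 ** n), repeat=2):
        record = {"X": x, "Y": y, "Z": f(x, y), "T": tuple(protocol(x, y))}
        joint.append((record, 1.0 / 4 ** n))
    return joint


def privacy_loss(f, protocol, n):
    """(loss to Al, loss to Bob) in bits under the uniform distribution.
    Inputs are never erased, so for a deterministic protocol a player's storage is his
    own input plus the transcript T; Bob's loss is therefore I(T : X | Y, f(X, Y)) and
    Al's loss is I(T : Y | X, f(X, Y))."""
    joint = transcript_distribution(f, protocol, n)
    return (cond_mutual_info(joint, "T", "Y", ("X", "Z")),
            cond_mutual_info(joint, "T", "X", ("Y", "Z")))


def leakage_to_bob(f, protocol, n):
    """max over y and x, x' with f(x, y) = f(x', y) of || p_B^{xy} - p_B^{x'y} ||_1.
    Bob's view on fixed inputs is a point mass for a deterministic protocol, so each
    distance is 0 (same transcript) or 2 (different transcripts)."""
    for y in range(2 ** n):
        for x, x2 in product(range(2 ** n), repeat=2):
            if f(x, y) == f(x2, y) and tuple(protocol(x, y)) != tuple(protocol(x2, y)):
                return 2.0
    return 0.0


def idmin(x, y):
    """Identified minimum: 2x + 1 if x < y, else 2y (ties go to Bob)."""
    return 2 * x + 1 if x < y else 2 * y


def and_fn(x, y):
    return x & y


def send_x(x, y):
    """Al sends his whole input; Bob evaluates f. Correct, but not private."""
    return [("Al", x)]


def counting_protocol(x, y):
    """Private protocol for IdMin_n: for i = 0, 1, 2, ... Bob announces whether y == i,
    then Al announces whether x == i; the first 'yes' ends the protocol. The transcript
    is 'no' from both below the minimum and then one 'yes', so it is a function of the
    output alone; it takes up to 2 * 2^n messages."""
    transcript = []
    for i in range(max(x, y) + 1):
        transcript.append(("Bob", y == i))
        if y == i:
            break
        transcript.append(("Al", x == i))
        if x == i:
            break
    return transcript


if __name__ == "__main__":
    for name, f, proto, n in [("AND, Al sends x", and_fn, send_x, 1),
                              ("IdMin_1, Al sends x", idmin, send_x, 1),
                              ("IdMin_2, counting protocol", idmin, counting_protocol, 2)]:
        al, bob = privacy_loss(f, proto, n)
        print(f"{name}: loss to Al = {al:.3f} bits, loss to Bob = {bob:.3f} bits, "
              f"leakage to Bob = {leakage_to_bob(f, proto, n)}")
```

For $AND$ and for $IdMin_1$ the trivial protocol divulges half a bit to Bob on average (a full bit whenever $y = 0$, where the output is independent of $x$), while the counting protocol has privacy loss and leakage 0 for both players.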

Two more definitions of (classical) privacy loss are considered in [4]. In the first variant there is not one protocol which is good against all distributions on the inputs, but for each distribution there may be one specialized protocol, for which the privacy loss is measured. The second definition is privacy loss in the hint sense: here a function $h$ is computed privately instead of a function $f$, and $f(x,y)$ can be computed from $h(x,y)$. The privacy loss is the difference between the logs of the ranges of $f$ and $h$. We generally use privacy loss with respect to the definition we have given first.

Let us show that our standard definition of privacy loss and the first alternative definition mentioned above are asymptotically equivalent for randomized and quantum protocols. The following lemma is a consequence of the standard Yao principle (von Neumann duality), see [?].



Lemma 7 The following statements are equivalent in the sense that if one is true for some values $\varepsilon, \delta$, then the other is true with values $2\varepsilon, 2\delta$.

• There is a randomized [quantum] public coin protocol for a function $f$ with communication $c$, error $\varepsilon$, privacy loss $\delta$ against all distributions $\mu$ on inputs.

• For every distribution $\mu$ on inputs there is a deterministic [quantum] protocol for $f$ with communication $c$, error $\varepsilon$, and privacy loss $\delta$ on that distribution.

Proof: The direction from randomized [quantum] to distributional deterministic [quantum] protocols follows by observing that a public coin protocol is really a probability distribution on deterministic [quantum] protocols, and for each distribution $\mu$ on the inputs the expected error (when picking a deterministic [quantum] protocol) is $\varepsilon$, and likewise the expected privacy loss is $\delta$. Now due to the Markov inequality for each $\mu$ there must be one deterministic [quantum] protocol that has error at most $2\varepsilon$ and privacy loss at most $2\delta$ simultaneously.

For the other direction assume the second statement holds, then combine error and privacy loss into one parameter by setting $para(P, \mu) = err(P, \mu) \cdot \delta + loss(P, \mu) \cdot \varepsilon$, where $err(P, \mu)$ denotes the error of a deterministic [quantum] protocol $P$ on $\mu$, and $loss(P, \mu)$ the privacy loss. Note that we are guaranteed that for each $\mu$ there is a $P$ with $para(P, \mu) \leq 2\varepsilon\delta$. Now the standard Yao principle gives us a single public coin randomized [quantum] protocol that has expected $para(P, \mu) \leq 2\varepsilon\delta$ for all $\mu$. Such a protocol must have expected error at most $2\varepsilon$ and expected privacy loss at most $2\delta$ for all $\mu$. □

Our definition of communication complexity allows no public coins, however. If we are only interested in the privacy loss, one of the players may simply flip enough coins and communicate them to the other player, then they simulate the public coin protocol. This increases the communication, but none of the other parameters.

We need another result to get rid of the public coin at a lower cost in randomized protocols, if the leakage resp. privacy loss is very small. First consider the following lemma concerning leakage, proved completely analogously to the results in [28].

Lemma 8 Let $f : \{0,1\}^n \times \{0,1\}^n \to \mathbb{N}$ be computable by a randomized [quantum] protocol with error $\varepsilon$, that uses public classical randomness and $c$ bits of communication and leaks $\delta$.

Then for all $\gamma > 0$ there is a randomized [quantum] protocol for $f$ with error $(1+\gamma)\varepsilon$, leakage $(1+\gamma)\delta$, and communication $O(c + \log n + \log(1/\delta) + \log(1/\gamma) + \log(1/\varepsilon))$ that uses no public coin.

If leakage is small a bound on privacy loss is implicit.

Lemma 9 Let $f : \{0,1\}^n \times \{0,1\}^n \to \mathbb{N}$ be computable by a randomized [quantum] protocol (with error but using no public randomness) that has leakage $\delta \leq 1/e$.

Then the same protocol has privacy loss at most $n \cdot \delta - \delta \log \delta$.

Proof: First consider the case of classical protocols. Let $\mu$ be any distribution on the inputs. The distribution on the values of Bob's and Al's private storage $A, B$, when the inputs $X, Y$ are drawn according to $\mu$ is denoted $p_{ABXY}$ (at some point in the protocol). If inputs are fixed to $x, y$ the resulting (normalized) distribution is denoted $p^{xy}$. The leakage requirement states that for $x, y, y'$ with $f(x,y) = f(x,y')$ we have $\|p_A^{xy} - p_A^{xy'}\|_1 \leq \delta$. For $x, y$ with $f(x,y) = z$ let

$$p_A^x(z) = \sum_{y' : f(x,y') = z} \frac{\mu(x,y')}{\sum_{a : f(x,a) = z} \mu(x,a)}\; p_A^{xy'}.$$

Then due to convexity for all $x, y$

$$\big\| p_A^{xy} - p_A^x(f(x,y)) \big\|_1 \leq \delta.$$

The continuity of entropy (Fact 3) and taking the expectation over $x, y$ according to $\mu$ then gives us

$$E_{x,y}\big[H(p_A^x(f(x,y))) - H(p_A^{xy})\big] \leq n\delta - \delta \log \delta.$$

The left hand side equals

$$H(A \mid X, f(X,Y)) - H(A \mid X, Y, f(X,Y)) = I(A : Y \mid X, f(X,Y)).$$

The leakage to Bob is analyzed in the same way. The quantum case is completely analogous. □
Now we can say something about privacy loss and private coins.

Lemma 10 Let $f : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}$ be computable by a randomized [quantum] protocol with error $\varepsilon$ (using a public classical coin) and $c$ bits of communication, that has privacy loss $\delta > 1/2^n$.

Then there is a randomized [quantum] protocol for $f$ with error $2\varepsilon$, privacy loss $O(n \cdot \sqrt{\delta})$, and communication $O(c + \log n + \log(1/\delta) + \log(1/\varepsilon))$ that uses no public coin.

Proof: Consider the case of classical protocols. Given the protocol, for, say, player Al, all distributions and all rounds we have $I(A : Y \mid X, f(X,Y)) \leq \delta$. Denote the distribution of the values of Al's register for some inputs $x, y$ by $p_A^{xy}$, and let $p_A^x(z)$ denote the distribution in which $x$ and $z = f(x,y)$ are fixed, but $y$ is random. Then

$$\begin{aligned}
E_z\, E_{x,y : f(x,y) = z} \big\| p_A^{xy} - p_A^x(z) \big\|_1
&= E_z\, E_{x \mid z}\, E_{y \mid x,z} \big\| p_A^{xy} - p_A^x(z) \big\|_1 \\
&\leq E_{z,x} \sqrt{2 \ln(2)\, I(A : Y \mid X = x, f(X,Y) = z)} \qquad (*) \\
&\leq \sqrt{2 \ln(2)\, E_{z,x}\, I(A : Y \mid X = x, f(X,Y) = z)} \qquad \text{(Jensen's inequality)} \\
&\leq \sqrt{2 \ln(2)\, \delta},
\end{aligned}$$

with $(*)$ due to Fact 5, where for a fixed $z, x$ the $y$ are coded (on the induced distribution) as $p_A^{xy}$ and the average code is $p_A^x(z)$. Hence

$$E_{x,y,y' : f(x,y) = f(x,y')} \big\| p_A^{xy} - p_A^{xy'} \big\|_1 \leq 2\sqrt{2 \ln(2)\, \delta}.$$

Since this holds for all distributions, the same holds for all $x, y, y'$ with $f(x,y) = f(x,y')$, thus the protocol leaks at most $2\sqrt{2 \ln(2) \cdot \delta}$.

Invoking Lemma 8 with $\gamma = 1$ we get a protocol with the desired communication complexity and error, and leakage $O(\sqrt{\delta})$ using no public coin. Then an application of the previous lemma completes the proof for leakage at most $1/e$. For larger leakage the lemma is trivial.

The quantum case is completely analogous. □
Finally, the following lemma states that independent repetitions of a randomized protocol allow to decrease the error probability with a reasonable increase in privacy loss.

Lemma 11 Let $P$ be any randomized protocol for a function $f$ with error $1/3$, privacy loss $l$, and communication $c$.

Then there is a randomized protocol for $f$ with error $1/2^k$, privacy loss $O(k \cdot l)$, and communication $O(k \cdot c)$.

Proof: Repeat the protocol $t = O(k)$ times independently. By standard considerations taking the majority output yields the desired error bound and increases the communication as desired. We now show that the privacy loss is also as stated.

To see this consider the global state $\rho_{ABXY}$, where Al's storage $A$ consists of $A_1, \ldots, A_t$ for the $t$ repetitions. W.l.o.g. $A_i$ contains a message history of the $i$th repetition of the protocol. Note that $I(A_i : A_j \mid X = x, Y = y) = 0$ for all $i \neq j$ and all $x, y$, if Al plays honest, since he is forced to send messages as in a completely new run of the protocol for all histories of the first $i$ repetitions, i.e., using fresh randomness. Then

$$\begin{aligned}
I(A_1, \ldots, A_t : Y \mid X = x, f(X,Y) = z)
&= H(A_1, \ldots, A_t \mid X = x, f(X,Y) = z) - H(A_1, \ldots, A_t \mid Y, X = x, f(X,Y) = z) \\
&= H(A_1, \ldots, A_t \mid X = x, f(X,Y) = z) - E_y\, H(A_1, \ldots, A_t \mid Y = y, X = x)
\end{aligned}$$

for all $x, z$, with the expectation over $y \in Y$ under the distribution conditioned on $f(x,y) = z$. And due to the subadditivity of entropy this is at most

$$\sum_i H(A_i \mid X = x, f(X,Y) = z) - E_y\, H(A_1, \ldots, A_t \mid Y = y, X = x).$$

The latter term equals

$$E_y \sum_i H(A_i \mid Y = y, X = x),$$

since for a fixed input $x, y$ the random variables $A_i$ are independent. So we get

$$\sum_i H(A_i \mid X = x, f(X,Y) = z) - \sum_i E_y\, H(A_i \mid Y = y, X = x) = \sum_i I(A_i : Y \mid X = x, f(X,Y) = z).$$

Hence, with $I(A_i : Y \mid X, f(X,Y)) = E_{x,z}\, I(A_i : Y \mid X = x, f(X,Y) = z)$:

$$I(A_1, \ldots, A_t : Y \mid X, f(X,Y)) \leq \sum_i I(A_i : Y \mid X, f(X,Y)) = t \cdot I(A_1 : Y \mid X, f(X,Y)). \qquad \square$$

3 An exponential decrease in privacy loss 

In this section we give an example of a function that can be computed with an exponentially smaller privacy loss in the quantum case than in the classical case. This function is the disjointness problem, and the quantum protocol we consider is the protocol due to Buhrman, Cleve, and Wigderson given in [?]. In fact we describe a general way to protect a certain type of protocols against large privacy loss.

We now roughly sketch how the protocol works, and then how to make it secure. The protocol is based on a general simulation of black-box algorithms given in [?]. A black-box algorithm for a function $g$ is turned into a communication protocol for a function $g(x \wedge y)$ for the bitwise defined operation $\wedge$. The black-box algorithm for OR is the famous search algorithm by Grover or rather its variant in [?]. The important feature of the protocol for us is that the players send a set of $\log n + O(1)$ qubits back and forth and apart from that no further qubits or classical storage depending on the inputs are used. Also the protocol runs in $O(\log n)$ stages, each concluded by a measurement. If this measurement yields an index $i$ with $x_i = y_i = 1$, then the protocol stops (and rejects), else it continues. The qubits contain a superposition over indices $i$ from $1$ to $n$ plus the values of $x_i$ and $x_i \wedge y_i$. So an honest player that does not attempt to get more information learns $O(\log n)$ times the measurement result for $O(\log n)$ qubits and thus an information of at most $O(\log^2 n)$.

The main tool to show that the privacy loss is small against players trying to get more information is the following generalization of the famous no-cloning theorem [31]. While the no-cloning theorem says that we cannot make a perfect copy of an unknown quantum state (which would enable us to find out some information about the state without changing the original by measuring the copy), this lemma says that no transformation leaving two nonorthogonal originals both unchanged gives us any information about those states.

Lemma 12 Let $|\phi_1\rangle$ and $|\phi_2\rangle$ be two states that are nonorthogonal. Assume a unitary map $U$ sends $|\phi_1\rangle|0\rangle$ to $|\phi_1\rangle|a\rangle$ and $|\phi_2\rangle|0\rangle$ to $|\phi_2\rangle|b\rangle$. Then $|a\rangle = |b\rangle$.

Proof: The following simple proof has been proposed by Harumichi Nishimura [personal communication].

Note that the inner product of $|\phi_1\rangle$ and $|\phi_2\rangle$ is unchanged when we append some empty qubits, and when we apply the same unitary operation to the states. Hence

$$\langle\phi_2|\phi_1\rangle = \langle\phi_2|\langle 0|\, U^\dagger U\, |\phi_1\rangle|0\rangle = \langle\phi_2|\langle b|\; |\phi_1\rangle|a\rangle = \langle\phi_2|\phi_1\rangle \cdot \langle b|a\rangle.$$

Because $|\phi_1\rangle$ and $|\phi_2\rangle$ are nonorthogonal their inner product is nonzero and hence we have $\langle b|a\rangle = 1$. Therefore, $|a\rangle = |b\rangle$. □

Now assume a protocol sends $k$ qubits (in a pure state) back and forth without using any private storage whose state depends on the input and without measuring (this is what happens in the protocol for $DISJ_n$ during all $O(\log n)$ stages). If we manage to change the messages in a way so that for no inputs $x, x', y$ the message sent in round $t$ for input $x, y$ is orthogonal to the message for input $x', y$, then there is no transformation for Bob that leaves the message unchanged, yet extracts some information. In other words, honest players are forced to follow the protocol without getting further information. The only information is revealed at the end of a stage, when one player is left with the qubits from the last message, resp. at the time when one player decides to quit the protocol. Thus at most "size of the communication channel" (i.e., $k$) information is revealed. 

We now describe how to make the messages nonorthogonal. 

Lemma 13 For all $\epsilon > 0$ and for any finite set of $l$-dimensional unit vectors $\{v_i\}$ there is a set of $(l+1)$-dimensional unit vectors $\{v_i'\}$ such that $\|v_i - v_i'\| < \epsilon$, and $v_i' \perp v_j'$ for no $i, j$, where $v_i$ is identified with the $(l+1)$-dimensional vector obtained by appending a 0 in dimension $l+1$. 

Proof: For all vectors $v_i$ the appended vector is $(l+1)$-dimensional and contains the value 0 in the $(l+1)$st dimension and the same values as $v_i$ in the other dimensions. Then change $v_i(l+1)$ to $\delta$, and scale all other values by $\sqrt{1 - \delta^2}$ to obtain $v_i'$. The resulting vectors have norm $\langle v_i'|v_i'\rangle = \delta^2 + (1 - \delta^2) = 1$. The inner product of two vectors is $\langle v_i'|v_j'\rangle = \delta^2 + (1 - \delta^2)\langle v_i|v_j\rangle$. For a finite set of, say $k$, vectors there are $k^2$ different values of inner products $\langle v_i|v_j\rangle$. Using $\delta$ with $-\delta^2/(1 - \delta^2)$ different from all these values and small enough that $\|v_i - v_i'\| < \epsilon$ leads to a set of vectors with the desired properties. 
□ 

We can state the upper bound for disjointness. 

Theorem 1 $DISJ_n$ can be computed by a quantum protocol with error 1/3, communication $O(\sqrt{n} \log n)$, and privacy loss $O(\log^2 n)$. 

Proof: In [9] a quantum protocol with error 1/4 and communication $O(\sqrt{n} \log n)$ is described, in which Al and Bob exchange pure state messages of length $\log n + O(1)$, but use no further storage depending on the input. The protocol consists of $O(\log n)$ stages each of which ends with a measurement of the qubits in the standard basis. No further measurements are used. 

We modify the protocol. We add one more qubit to the messages. Then we change the first message to be sent (prepared by Al) as described in lemma 13. The error introduced by this change is arbitrarily small. Then the protocol is used as before, ignoring the new qubit in all transformations, but always sending that qubit with the other qubits back and forth between the players. This can be done in a way ensuring that no message sent for any pair of inputs $x, y$ in any round will be orthogonal to another such message. 

Assume Bob wants to get more information than he can get from the $O(\log n)$ classical strings of length $\log n + O(1)$ obtained from the measurements. In some round he will first start an attack on the message. He has to map the message received to another message he must send back. The second message is the result of a fixed unitary transformation (depending on $y$) on the first. He has to combine the attack with that unitary transformation. So we may assume that he first attacks the message and then applies the transformation to get the next message. The attack transformation maps the message and some empty qubits to the tensor product of the same message and another state, that depends on the other player's input. Lemma 12 ensures that this is impossible. So Bob has to stick to the protocol without getting more information than allowed. □ 

Now we turn to the lower bound. Every classical deterministic protocol partitions the communication matrix into rectangles labelled with the output of the protocol. Let $\mu$ be a distribution on the inputs. A labelled rectangle is $(1 - \epsilon)$-correct, if according to $\mu$ at least $1 - \epsilon$ of the weight of the rectangle is on correctly labelled inputs. Due to Yao's lemma a randomized protocol with error $\epsilon$ and communication $c$ yields for every distribution $\mu$ a deterministic protocol that has error $\epsilon$ and the same communication. Such a protocol induces a partition of the communication matrix into $2^c$ rectangles with overall error $\epsilon$. 

The width of a rectangle $A \times B$ is $\min\{|A|, |B|\}$. Let $r(f)$ denote the largest width of any completely correct rectangle. [?] proves: 

Fact 14 $CL_0(f) \ge (n - \log r(f))/2 - 1$ for all $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$. 
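To make the width measure concrete, here is an added Python example (not from the paper) that computes $r(f)$ by brute force for small functions given as a truth table. It uses the observation that for a fixed row set $A$ the largest completely correct rectangle with rows $A$ takes all columns on which $A$ is constant, so only row subsets need to be enumerated; the functions `disj` and `eq` and the small values of $n$ are this example's choices.

```python
import math


def disj(x, y):
    """DISJ_n on n-bit strings viewed as sets: 1 iff x and y are disjoint."""
    return int(x & y == 0)


def eq(x, y):
    """EQ_n: 1 iff x == y."""
    return int(x == y)


def largest_correct_width(n, f):
    """r(f): the largest width min(|A|, |B|) of a completely correct
    (monochromatic) rectangle A x B of the 2^n x 2^n communication matrix.
    Enumerating row subsets is exponential in 2^n, so this is for n <= 3."""
    inputs = range(1 << n)
    best = 0
    for mask in range(1, 1 << (1 << n)):
        rows = [x for x in inputs if mask >> x & 1]
        if len(rows) <= best:
            continue  # a row set this small cannot beat the current width
        for value in (0, 1):
            # maximal column set on which all chosen rows carry `value`
            cols = [y for y in inputs if all(f(x, y) == value for x in rows)]
            best = max(best, min(len(rows), len(cols)))
    return best


def fact14_bound(n, f):
    """(n - log r(f))/2 - 1, the lower bound on CL_0(f) stated in Fact 14."""
    return (n - math.log2(largest_correct_width(n, f))) / 2 - 1
```

For disjointness the output is $r(DISJ_2) = 2$ and $r(DISJ_3) = 4$, i.e. $2^{n-1}$, coming from the 0-rectangle of all sets that contain one fixed element; the bound of Fact 14 is therefore negative for $DISJ_n$, which is why a different bound (lemma 15 below) is needed for that function.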



We now describe a new bound. An $a$-rectangle is a rectangle that contains predominantly the function value $a$. The maximum size of a $(1 - \epsilon)$-correct $a$-rectangle according to $\mu$ is called $s^a_\epsilon(f, \mu)$. Let $uni$ denote the uniform distribution. 

Lemma 15 Choose $a \in Z$. All randomized protocols with error 1/3 computing $f : \{0,1\}^n \times \{0,1\}^n \to Z$ have privacy loss 

$$\Omega\left( \frac{uni(f^{-1}(a)) \cdot \log\left(1 / s^a_{1/n^2}(f, uni)\right)}{\log n} - O(1) \right).$$
Proof: Given a randomized protocol with error 1/3 and privacy loss $c$ we can find a protocol with privacy loss $c \cdot k$ and error $1/2^{\Omega(k)}$ by repeating the protocol with independent coin flips $k$ times and taking the majority output due to lemma [?]. 

For $k = O(\log n)$ we get a randomized protocol with privacy loss $l = O(c \log n)$, and error $1/(2n^4)$. This privacy loss is guaranteed against all distributions, and by one side of lemma 7 for the uniform distribution $uni$ there is a deterministic protocol that has the privacy loss $l$, and error $1/n^4$ on $uni$. The deterministic protocol corresponds to a partition of the communication matrix into rectangles with global error $1/n^4$, so $1 - 1/n^2$ of all inputs are in rectangles that are $(1 - 1/n^2)$-correct. Each $(1 - 1/n^2)$-correct $a$-rectangle has weight at most $s = s^a_{1/n^2}(f, uni)$. Furthermore the total weight of inputs with function value $a$ in other rectangles is at most $\alpha = 1/n^2$. 

After running the protocol we have a distribution on the values of Al's storage $A$ and Bob's storage $B$. W.l.o.g. both players have stored the complete message history as a string $m$. Such a string is a label to a rectangle in the communication matrix. Call such a rectangle $U_m \times V_m$ and let $h(m)$ denote the height $|U_m|/2^n$, let $b(m)$ denote the base $|V_m|/2^n$. $1 - 1/n^2$ of all inputs are in $(1 - 1/n^2)$-correct rectangles. Let $M_a$ denote the set of $(1 - 1/n^2)$-correct $a$-rectangles/message sequences in which the protocol outputs $a$. $Pr(m)$ denotes the probability of rectangle $m$, i.e., its size under the uniform distribution. 

The inputs that are not in $(1 - 1/n^2)$-correct $a$-rectangles but have function value $a$ have weight at most $\beta = 1/n^2 + 1/n^2 \le 2/n^2$. They can contribute at most $\gamma = \beta n - \beta \log \beta = o(1)$ to an entropy due to fact [?]. Then 

$$\begin{aligned}
& H(Y \mid A, X, f(X,Y) = a) + H(X \mid B, Y, f(X,Y) = a) \\
&= \sum_{m} Pr(m) \left[ H(Y \mid m, X, f(X,Y) = a) + H(X \mid m, Y, f(X,Y) = a) \right] \\
&\le \gamma + \sum_{m \in M_a} Pr(m) \left[ \log(2^n \cdot b(m)) + \log(2^n \cdot h(m)) \right] \\
&\le o(1) + \sum_{m \in M_a} Pr(m) \log(|V_m| \cdot |U_m|) \\
&\le o(1) + \sum_{m \in M_a} Pr(m) \log(2^{2n} s) \\
&\le 2n + \log s + o(1).
\end{aligned}$$

Also, assume that $uni(f^{-1}(a)) > 1/n^2$, then 

$$H(Y \mid X, f(X,Y) = a) \ge n - 4 \log n - o(1),$$

since in this case only $1/n^2$ of the weight of the distribution that is uniform on inputs with $f(x,y) = a$ can lie on rows $x$ having less than $2^n/n^4$ columns $y$ with $f(x,y) = a$. So if we pretend that all $x$ have at least $2^n/n^4$ corresponding $y$ with $f(x,y) = a$, we increase the actual entropy by at most $1/n^2 \cdot n = o(1)$. But this would lead to $H(Y \mid X, f(X,Y) = a) \ge \log(2^n/n^4)$. Consequently 

$$uni(f^{-1}(a)) \cdot H(Y \mid X, f(X,Y) = a) \ge uni(f^{-1}(a)) \cdot (n - 4 \log n) - o(1).$$

This gives us 

$$\begin{aligned}
O(c \log n) &\ge I(Y : A \mid X, f(X,Y)) + I(X : B \mid Y, f(X,Y)) \\
&\ge uni(f^{-1}(a)) \cdot \left[ I(Y : A \mid X, f(X,Y) = a) + I(X : B \mid Y, f(X,Y) = a) \right] \\
&= uni(f^{-1}(a)) \cdot \left[ H(Y \mid X, f(X,Y) = a) + H(X \mid Y, f(X,Y) = a) \right. \\
&\qquad \left. - H(Y \mid A, X, f(X,Y) = a) - H(X \mid B, Y, f(X,Y) = a) \right] \\
&\ge uni(f^{-1}(a)) \cdot \left[ 2n - 8 \log n - 2n - \log s \right] - o(1) \\
&\ge uni(f^{-1}(a)) \cdot (-\log s) - O(\log n).
\end{aligned}$$

□ 

The following is proved in [2]. 

Fact 16 Let $\mu$ be the uniform distribution on pairs of sets of size $\sqrt{n}$ from a size $n$ universe. Then the largest $(1 - \epsilon)$-correct 1-rectangle for disjointness (i.e., one that contains mostly disjoint pairs of sets) has size $1/2^{\Omega(\sqrt{n})}$ for some constant $\epsilon$. 

Corollary 1 $CL_{1/3}(DISJ_n) = \Omega(\sqrt{n}/\log n)$. 

4 The class of private functions 

We have seen in the previous section that certain functions can be quantum 
computed with less privacy loss against honest players than possible in the 
classical case. In this section we show that, however, the class of functions 
which can be computed privately (i.e., with privacy loss 0) is unchanged by 
allowing quantum communication, if we consider honest players (i.e., those 
who are not trusted to continue with the protocol until the end). 

4.1 Players that do not preempt 

But first let us take a look at the model of honest players, in which only the 
information retrievable at the end of the protocol is counted. 

Theorem 2 For every function $f$ with deterministic communication complexity $c$ there is a quantum protocol with communication $O(c^2)$, where the final state obtainable by every honest player has an arbitrarily small distance to the final state of a player that knows only his input and the function value at the end. 

Thus we get an arbitrarily close approximation of privacy against honest 
players if we consider only the information available at the end of the pro- 
tocol. In other words if we trust the other player not only to play honest, 
but also to not quit before the end of the protocol, every function can be 
computed in a secure way. 

Proof: Suppose there is a deterministic protocol for $f$ with complexity $c$. First we turn this into a protocol in which the players do not need to store anything besides the current message, i.e., they compute the new message from the message they received, send the message, and remember nothing else. For this the players simply exchange a complete message history in all the rounds, increasing the complexity to $c^2$ at most. Now following lemma [?] we can turn this into a quantum protocol with arbitrarily small error $\epsilon$ and communication $c^2 + c$, in which only pure state messages are exchanged, so that for no inputs $x, y, y'$ the messages on $x, y$ and on $x, y'$ sent to Al (or Bob) in some round $t$ are orthogonal. With lemma 12 then an honest Al cannot obtain information from the message he holds without changing the message, similarly to the proof of theorem 1; thus Al has to send the message and is left with no information in all rounds after the message is sent. 

At the end, however, a complete message history is available to one player, making the protocol highly nonprivate. To remove this problem consider the following. A clean protocol [?] is a protocol in which the final state is 

$$|0\rangle |x\rangle |f(x,y)\rangle |y\rangle |0\rangle.$$

[15] shows how to transform any quantum protocol with error $\epsilon$ into a protocol whose final state has distance $O(\sqrt{\epsilon})$ from the final state a clean protocol would have. We use this transformation, which also increases the communication complexity by a factor of 2 only and does not change the error (the idea is that the "garbage" produced by the computation is removed by "reversing" the protocol). 

Thus we get a protocol with error $O(\sqrt{\epsilon})$, communication $O(c^2)$, in which in all rounds the players exchange a certain set of qubits about which both players cannot obtain additional information, since these messages are pairwise nonorthogonal. In the end the state has arbitrarily small nonzero distance to a state revealing no additional information. □ 

Due to the continuity of entropy described by fact 3 both the (information-theoretically measured) privacy loss and the (distance measured) leakage can be made arbitrarily small at the end of a protocol. 
4.2 The characterization of quantum privacy 

Now we return to our regular definition of privacy and show that here quantum communication does not enlarge the set of private functions. The set of classically private functions has been characterized in [23] and [3]. We extend this characterization to the quantum case. 

Definition 1 Let $M = C \times D$ be a matrix. A relation $\equiv$ is defined as follows: rows $x$ and $x'$ satisfy $x \equiv' x'$, if there is a column $y$ with $M_{x,y} = M_{x',y}$. Then $\equiv$ is the transitive closure of $\equiv'$. Similar relations are defined for columns. 

A matrix is called forbidden, if all its rows are equivalent, all its columns 
are equivalent, and the matrix is not monochromatic. 

Theorem 3 If the communication matrix of f contains a forbidden subma- 
trix then f cannot be computed by a quantum protocol with error smaller 
than 1/2 and no privacy loss. 

Proof: A quantum protocol with error smaller than 1/2 for $f$ must also 
solve the problem g corresponding to the forbidden submatrix. If A contains 
the row-labels and B the column labels of the forbidden submatrix then g is 
defined on A x B and g{x,y) = f{x,y). This problem g is nontrivial, since 
the submatrix is not monochromatic. Suppose a given protocol computes 
g with error smaller than 1/2 and privately. We will show that one round 
after the other can be shaved off the protocol, eventually yielding a protocol 
for g with one round. Such a protocol cannot compute g with error smaller 
than 1/2, thus we reach a contradiction. 

We show that the first message (w.l.o.g. sent by Al) does not depend on the input, and can thus be computed by Bob, whereupon the first round of communication can be skipped. Let $x_1, \ldots, x_l$ denote the rows of the forbidden submatrix, enumerated in such a way that $x_i \equiv' x_j$ for some $j < i$ for all $i > 1$. If $x_i \equiv' x_j$ then there is a $y$, so that $g(x_i, y) = g(x_j, y)$. Since it is possible that Bob holds $y$, Al is not allowed to send different messages on $x_i$ and $x_j$, since otherwise Bob may obtain information about the identity of Al's inputs $x_i$ and $x_j$ not deducible from the function value alone. So for all $x_i$ the same message is sent. 

Let $\rho^{x,y}_{AM}$ denote the state of Al's qubits right before the first message is sent (on inputs $x, y$), with $M$ containing the message. $\rho^{x,y}_M$ is the same for all $x, y$. Also $\rho^{x,y}_{AM}$ purifies such a state. Due to the local transition theorem (fact [?]) Al has unitary operations acting on register $A$ that switch between those states (for different $x$) without introducing any error. Thus Bob may prepare $\rho^{x,y}_{AM}$ for some fixed $x$, send the part of the state in $A$ to Al and keep the $M$ part. Al can then change the received state to the one for the correct $x$. Furthermore Bob can send the message for round 2 together with the first message, thus we get a protocol with one round less. 
Repeating this we eventually arrive at a protocol with one round only, in which, say, a message is sent from Al to Bob. Thus if the error is smaller than 1/2 the output does not depend on $y$. Consequently the communication matrix of $g$ consists of monochromatic rows only, and there are at least two different such rows, since the matrix is not monochromatic. Such a matrix is clearly not a forbidden submatrix, since two different monochromatic rows are not equivalent. Thus we arrive at a contradiction to our assumptions on $f$ or on the protocol. □ 

Now that we know a forbidden submatrix excludes a private quantum protocol, the other piece for a characterization is as follows, see [23]. 

Fact 17 If the communication matrix of f contains no forbidden submatrix, 
then f can be computed by a deterministic private protocol. 

Thus the class of privately computable functions is invariant under the 
choice of quantum or classical communication. 

A function $f$ can be computed with privacy loss $k$ in the hint sense, if there is a privately computable function $h$, such that $f(x,y)$ can be computed from $h(x,y)$, and $k = \log(range(h)) - \log(range(f))$. Since a function $h$ can be computed privately deterministically, iff $h$ can be computed privately by a quantum protocol, we get the following. 

Corollary 2 The privacy loss of a function f in the hint sense is unchanged 
if we allow quantum protocols. 

The structure imposed on protocols by the privacy constraint is actually 
strong enough to deduce a lower bound on the number of rounds needed to 
compute a function. 

Theorem 4 Any function f computable by a private quantum protocol with 
error smaller than 1/2 and r rounds of communication can also be computed 
by a private deterministic protocol with no error using at most r rounds. 

Proof: We construct a protocol tree from the quantum protocol. This is a layered directed tree whose vertices are indexed with rectangles in the communication matrix. Rectangles $A \times B$ in depth $d$ have children $A_i \times B$ with disjoint $A_i$ covering $A$, or children $A \times B_i$ with disjoint $B_i$ covering $B$. In depth $d$ either all edges lead to vertices that decompose the set of rows or all edges lead to vertices that decompose the set of columns. 

The root is indexed by the communication matrix $M = A \times B$ of $f$. W.l.o.g. assume Al sends a message in the first round. Then the set of messages used by Al decomposes the set of rows into disjoint subsets. Note that if $x \equiv x'$ for two inputs $x, x'$ to Al then these inputs share the same message in the first round. Recall that a message is in general a mixed quantum state. If Al's messages induce subsets $A_1, \ldots, A_t$ of the rows, and the equivalence relation $\equiv$ on rows (relative to $M$) has equivalence classes $C_1, \ldots, C_l$ then each $C_i \subseteq A_j$ for exactly one $j$. 

Now from the point of view of Bob all rows in some set $A_i$ are equivalent when he sends his message in round 2. Hence we may as before decompose the columns of each rectangle $A_i \times B$ according to the messages used by Bob. Again any equivalence class $C_i$ for columns (where the equivalence relation $\equiv$ is chosen relative to $A_i \times B$) lies in exactly one subset $B_j$ of the column decomposition induced by Bob's messages. 

In this manner we can inductively follow the protocol round per round 
to find a protocol tree. Note that all inputs in the rectangles attached to the 
leaves of the tree have the same acceptance probabilities, which are either all 
smaller than 1/2, or all larger than 1/2. Hence it is true that the rectangles 
attached to leaves are monochromatic. 

A protocol tree trivially induces a deterministic protocol for $f$ using as many rounds as the tree is deep, while the depth of the constructed tree is the number of rounds of the quantum protocol. □ 

Since the deterministic protocol constructed for the previous theorem 
trivially doesn't have to communicate more than n bits in one round, its 
communication cost is at most n times higher than the number of rounds of 
the quantum protocol, which is a lower bound on the quantum communica- 
tion cost. 

Corollary 3 The communication cost of an optimal private quantum protocol for a function $f$ on $\{0,1\}^n \times \{0,1\}^n$ is at most a factor $n$ smaller than the communication cost of an optimal private deterministic protocol for $f$. 

4.3 Boolean functions and leakage 

Next we consider the case of Boolean functions. It is known [1] that the class of private Boolean functions is the class of functions $f_A(x) \oplus f_B(y)$, even if one considers protocols that leak $\delta$ (recall that this refers to the distance sense of leaking) and have error $\epsilon$ with $\epsilon + \delta < 1/2$. These functions are combinatorially characterized by the so-called "corners lemma" [14] saying that there is no $2 \times 2$ rectangle in the communication matrix containing 3 ones and 1 zero or vice versa. As a corollary of theorem 3 we get a result for the quantum case with no leakage. 

Corollary 4 If the communication matrix of a function $f$ contains a $2 \times 2$ rectangle with exactly 3 times the same entry, then no private quantum protocol with error smaller than 1/2 can compute $f$. 

Corollary 5 The class of Boolean functions computable by private quantum protocols is the class of functions $f_A(x) \oplus f_B(y)$. 
Is corollary [?] also valid in the quantum case with small leakage? The answer is no. There are functions satisfying the assumptions of the corners lemma which can be computed with small leakage by a quantum protocol. 

Theorem 5 There is a quantum protocol computing the AND function on two bits with error 1/3 that has leakage $\delta$ and uses $O(1/\delta^2)$ communication. 

Proof: We describe a protocol in which only $\delta$ is leaked to Bob, and nothing is leaked to Al. During $O(1/\delta^2)$ rounds Al prepares a superposition $\frac{\delta}{2}|00\rangle + \sqrt{1 - \delta^2/4}\,|11\rangle$ if $x = 0$, and $\frac{\delta}{2}|10\rangle + \sqrt{1 - \delta^2/4}\,|11\rangle$ if $x = 1$. Note that the trace distance between the corresponding density matrices is $\delta$ due to equation (1). Thus if Bob receives such a message leakage to him is $\delta$. Bob then adds a blank qubit and if $y = 1$ applies a unitary transformation that sends $|000\rangle$ to $|000\rangle$, $|100\rangle$ to $|101\rangle$, and $|110\rangle$ to $|110\rangle$. If $y = 0$ he leaves the state unchanged. Then Bob sends the 3 qubits back to Al. Al and Bob repeat this $O(1/\delta^2)$ times with fresh qubits. In the end Al measures all triples in the standard basis. If he receives a $|000\rangle$ state he outputs 0, if he gets a $|101\rangle$ state he outputs 1 (and sends the result to Bob). If he has no such results he gives up without answer. 

Note that with probability $\delta^2/4$ Al gets one of the desired results, thus $O(1/\delta^2)$ experiments suffice to yield a protocol with constant error. 

The leakage can be analyzed as follows. Suppose $x = y = 1$. In this case there can be no leakage, since an input and the function value give away the other input. 

Now suppose $x = 1, y = 0$. In this case there can be no leakage to Al. The leakage to Bob is $\delta$ given the message of a round. Due to lemma 12 Bob cannot get any information out of a message without becoming dishonest, since no two messages are mutually orthogonal. Thus for all rounds the information leaked to Bob is $\delta$. 

Suppose $x = 0$. Al always simply gets his message back, no matter what Bob's input is, so there is no leakage to Al. If $y = 1$ then there can be no leakage to Bob. Otherwise the leakage to Bob is $\delta$ as above. □ 

The communication complexity in the above construction is within a 
polynomial of the optimum. 

Theorem 6 If the communication matrix of a function $f$ contains a $2 \times 2$ rectangle with exactly 3 times the same entry, then no quantum protocol with error 1/3, leakage $\delta$, and at most $1/(12\sqrt{\delta})$ rounds can compute $f$. 

Proof: A protocol containing the described submatrix can easily be 
adapted to compute the Boolean AND function on input bits x, y with the 
same parameters. We show that the above stated number of rounds is 
necessary. 

Let $\rho^x_{AM}$ denote the state of the private qubits of Al in $A$ and of the first message sent to Bob in $M$ in round one when Al's input is $x$. Then the given leakage demands that $\|\rho^0_M - \rho^1_M\|_t \le \delta$, since it is possible that Bob's input is $y = 0$. The states $\rho^0_{AM}$ and $\rho^1_{AM}$ are purifications of the two states on the message qubits. 

Due to the local transition theorem (fact [?]) there is a unitary transformation $U$ on Al's qubits alone that maps $\rho^0_{AM}$ to a state $\rho'_{AM}$ with 

$$\left\| \rho'_{AM} - \rho^1_{AM} \right\|_t \le 2\sqrt{\delta}.$$

We modify the protocol by skipping the first round. Instead Bob creates a state $\rho^0_{AM}$ by himself and sends the $A$ part to Al together with the communication of round 2. If Al's input is 0, the protocol can continue without problems. If Al's input is 1, he applies the unitary transformation $U$, which leads to the state $\rho'_{AM}$ with distance $2\sqrt{\delta}$ from $\rho^1_{AM}$. So the error introduced is at most $2\sqrt{\delta}$ and the protocol runs with one round less. 

Repeating the above process for a $k$ round protocol leads eventually to a protocol in which, say, Al sends one message and Bob none, so the output does not depend on Bob's input anymore. This can only happen when the error is at least 1/2, so $1/3 + (k - 1) \cdot 2\sqrt{\delta} \ge 1/2$, hence $k \ge 1/(12\sqrt{\delta})$. □ 



5 Trading privacy loss against complexity 

In this section we show that allowing a privacy loss of much less than one 
bit (instead of privacy loss 0) can reduce the communication complexity of 
a certain function, namely the identified minimum problem, from exponen- 
tial to polynomial. Thus protocols obtaining a very close approximation of 
privacy can be much cheaper than truly private protocols. 

Theorem 7 The function $IdMin_n$ can be computed by a randomized protocol with privacy loss $\delta$, error $\delta$, and communication $O(n^2/\delta \cdot \log(1/\delta))$. 

Every quantum or randomized protocol computing $IdMin_n$ with error $\epsilon < 1/2$ and with privacy loss 0 needs communication $\Omega(2^n)$. 

Proof: It is shown in [23] that any private randomized or deterministic protocol for $IdMin_n$ needs $2 \cdot (2^n - 1)$ communication rounds. With theorem 4 this implies that also quantum protocols need that many rounds. The communication cost is always at least as large as the number of rounds. 

For the upper bound we proceed as follows. We first show that the function can be computed efficiently with small leakage. Then we invoke lemma [?] to get the result for privacy loss. To construct a protocol with small leakage we describe for every probability distribution on the inputs a deterministic protocol that has small expected leakage (over the input distribution). Using Yao's lemma like in lemma 7 we get a single randomized protocol that has small expected leakage against all distributions, where the expectation is over the coins of the protocol. Such a protocol immediately has small leakage in the sense of our standard definition. To remove the necessity of allowing public coin randomness we use lemma [?]. Then we are ready to guarantee also small privacy loss using lemma [?]. 

The expected leakage to Al in a protocol for a distribution $\mu$ is 

$$\mathbb{E}_{x, y, y' \sim \mu:\ f(x,y) = f(x,y')} \left[ \left\| \rho_A^{x,y} - \rho_A^{x,y'} \right\|_t \right]$$

for the state of the storage of Al and Bob in some round $t$. The expected leakage of the protocol is the maximum over all rounds and over Al, Bob. 

The corresponding Yao lemma is as follows, being proved completely analogously to lemma 7. Note that if a randomized protocol has for all inputs an expected leakage of at most $\zeta$ (with the expectation over its coins), then it has leakage $\zeta$ in the ordinary definition. 

Lemma 18 The following statements are equivalent in the sense that if one is true for some values $\epsilon, \zeta$, then the other is true with values $2\epsilon, 2\zeta$. 

• There is a randomized public coin protocol for a function $f$ with communication $c$, error $\epsilon$, and leakage $\zeta$. 

• For every distribution $\mu$ on inputs there is a deterministic protocol for $f$ with communication $c$, and error $\epsilon$ and expected leakage $\zeta$ on $\mu$. 

We start by describing a protocol with small expected leakage for the 
uniform distribution and then show how to adapt this protocol to an arbi- 
trary distribution. 

The protocol is defined inductively. For $n = O(1)$ we use the simple protocol with leakage 0, in which Al asks for $z = 1, \ldots, x - 1$, whether $z > y$. If so for one $z$, then $2y$ is the result, otherwise $2x + 1$ is the result. The protocol needs communication $O(1)$. 

For larger $n$ we do the following. Let $\gamma = \delta/(16n)$. Al asks Bob for all $z_i = \lceil (1 + \gamma)^i \rceil < \min\{x, 2^{n-1}\}$ (with $i \in \mathbb{N}$), whether $z_i > y$. If so for one $z_i$, then $2y$ is the output (given by Bob). Else, when $x < 2^{n-1}$, then $2x + 1$ is given as output. If this is not the case, then both players know the minimum is larger than $2^{n-1}$, and the protocol can be invoked recursively for $n - 1$. 

First we compute the communication cost of the protocol. Obviously the communication before the recursion is in $\log_{1+\gamma} 2^n = O(n/\gamma) = O(n^2/\delta)$ rounds, each communicating at most $n$ bits. So the recursion for the overall communication is $C(n) = O(n^2/\delta) + C(n - 1)$. After $\log(1/\delta)$ recursions, however, the remaining pairs of inputs have weight at most $\delta^2$. So we may stop there, and hence the communication is at most $O(n^2/\delta \cdot \log(1/\delta))$. 

Next we compute the leakage and error of the protocol. Let $a = (1 + \gamma)^i \le x < (1 + \gamma)^{i+1} \le 2^{n-1}$. Also assume that we are in an iteration where the remaining input length is $n$ (which is not necessarily the original input length). If the protocol stops early, the error is at most $\delta^2$, and the leakage is 0. Otherwise the following holds. 

If $y \ge x$, then the protocol will neither err nor leak information. 

If $a \le y < x$, then the protocol will err and will leak, since Bob learns $x$. This happens with probability at most 

$$\left( (1 + \gamma)^{i+1} - (1 + \gamma)^i \right) / 2^n = \gamma (1 + \gamma)^i / 2^n \le \gamma/2,$$

and the leakage contributed by this case is at most $2 \cdot \gamma/2 = \delta/(16n)$, the error at most $\gamma/2$. 

If $y < a$, then the protocol is correct. There is, however, some leakage. Bob learns that $x \ge (1 + \gamma)^i$ for some $i$, instead of just learning that $x > y$. This corresponds to Bob knowing that $x$ is distributed uniformly over all values larger than $(1 + \gamma)^i$ instead of Bob knowing that $x$ is distributed uniformly over all values larger than $y$. The first distribution $p$ is uniform on $2^n - (1 + \gamma)^i = 2^n - (1 + \gamma)^{i-1} - \gamma(1 + \gamma)^{i-1}$ values, the second distribution $q$ is uniform on $2^n - y$ values. The distance between $p$ and $q$ is at most the distance between $p$ and the distribution $q'$ in which $x$ is uniform over all values larger than $(1 + \gamma)^{i-1}$. Then $q'$ is uniform on $2^n - (1 + \gamma)^{i-1}$ points. Since $(1 + \gamma)^{i-1} \le 2^n/2$, the distance is at most $2\gamma$ and the probability of this event is at most 1/2, so the leakage contributed by this case is at most $\gamma = \delta/(16n)$. 

Thus the overall leakage is smaller than $\delta/(8n)$, and the error $\gamma/2 + \delta^2 \le \delta/4$. 
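The following Python is an added example (not the paper's code) that simulates one level of the uniform-distribution protocol above and checks its round count and the case analysis exhaustively. It assumes inputs $x, y \in \{0, \ldots, 2^n - 1\}$, that Al stops at Bob's first "yes", and the output encoding of the base protocol ($2y$ when $y$ is the strict minimum, else $2x + 1$); the recursion for $n - 1$ is not simulated, a level that would recurse just reports `'recurse'`. The sample values $n = 12$, $\delta = 1$ are this example's choices.

```python
import bisect
import math


def idmin(x, y):
    """Assumed encoding of the identified minimum, taken from the output rule
    of the base protocol: 2y if Bob's y is the strict minimum, else 2x+1."""
    return 2 * y if y < x else 2 * x + 1


def query_points(n, gamma):
    """Distinct query values z_i = ceil((1+gamma)^i) below 2^(n-1), ascending."""
    top = 1 << (n - 1)
    zs, i = [], 0
    while True:
        z = math.ceil((1 + gamma) ** i)
        if z >= top:
            return zs
        if not zs or z != zs[-1]:
            zs.append(z)
        i += 1


def one_level(x, y, n, delta, zs=None):
    """Simulate one level.  Returns (result, number of queries Al made), where
    result is 2y (Bob answered yes), 2x+1, or 'recurse' (both players take the
    minimum to exceed 2^(n-1) and would continue with n-1)."""
    half = 1 << (n - 1)
    if zs is None:
        zs = query_points(n, delta / (16 * n))
    k = bisect.bisect_left(zs, min(x, half))   # Al's queries are exactly zs[:k]
    for j in range(k):
        if zs[j] > y:                          # y < z_j < x: Bob reveals y
            return 2 * y, j + 1
    if x < half:
        return 2 * x + 1, k
    return 'recurse', k


def wrong_conclusion(x, y, n, result):
    """A level errs if its output differs from idmin(x, y), or if it recurses
    although y < 2^(n-1) (the assumed lower bound on the minimum is false)."""
    if result == 'recurse':
        return y < (1 << (n - 1))
    return result != idmin(x, y)


def error_fraction(n, delta):
    """Fraction of uniform (x, y) on which one level errs, counted per row: for
    fixed x these are exactly the y with a <= y < min(x, 2^(n-1)), a being the
    largest query below that limit (a = 0 if there is none), matching the
    case a <= y < x of the analysis above."""
    half = 1 << (n - 1)
    zs = query_points(n, delta / (16 * n))
    bad = 0
    for x in range(1 << n):
        limit = min(x, half)
        k = bisect.bisect_left(zs, limit)
        bad += limit - (zs[k - 1] if k else 0)
    return bad / float(1 << (2 * n))


def brute_error_count(n, delta):
    """Exhaustive cross-check of error_fraction through one_level (small n)."""
    zs = query_points(n, delta / (16 * n))
    return sum(wrong_conclusion(x, y, n, one_level(x, y, n, delta, zs)[0])
               for x in range(1 << n) for y in range(1 << n))


def rounds_comparison(n, delta):
    """Queries of a single level against the 2*(2^n - 1) rounds that the page
    cites as necessary for any private protocol for IdMin_n."""
    return len(query_points(n, delta / (16 * n))), 2 * ((1 << n) - 1)
```

For $n = 12$ and $\delta = 1$ one level uses fewer than $n/\gamma$ queries (about 1500 against the 8190 rounds of a private protocol), and the fraction of inputs on which it draws a wrong conclusion stays below $\gamma/2 + 2^{-n}$, the $\gamma/2$ being the bound from the case $a \le y < x$ above and the $2^{-n}$ accounting for the rounding in $\lceil (1+\gamma)^i \rceil$.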

After describing the protocol for the uniform distribution we now turn to protocols for arbitrary distributions $\mu$. Since Al plays the role of an interrogator in the above protocol, while Bob only answers, let $x$ be an arbitrary input for Al and $\mu_x$ the induced distribution on Bob's inputs. Note that this distribution is known to Al. 

Let $r_l$ be the least integer satisfying $\sum_{i=1}^{r_l} \mu_x(i) \ge l/2^n$ for $l = 1, \ldots, 2^n$. The protocol proceeds as in the protocol for the uniform distribution, but Al queries $r_l$ instead of $l$ all the time, i.e., for $l = \lceil (1 + \gamma)^i \rceil < \min\{x, r_{2^{n-1}}\}$. 

The communication complexity of the protocol is still $O(n^2/\delta \cdot \log(1/\delta))$. 

Let $a = r_{(1 + \gamma)^i} \le x < r_{(1 + \gamma)^{i+1}}$. 

If $y \ge x$, then the protocol will neither err nor leak information. 

If $a \le y < x$, then the protocol will err and will leak information. The probability that this happens is at most $(1 + \gamma)^{i+1}/2^n - (1 + \gamma)^i/2^n = \gamma(1 + \gamma)^i/2^n \le \gamma/2$, and the leakage in this case is at most $\gamma$, the error at most $\gamma/2$. 

If $y < a$, then the protocol is correct, but again there is leakage. Bob gets to know that $x \ge a$ instead of just knowing $x > y$, i.e., the (normalized) distribution on values larger than $y$ against the (normalized) distribution on values larger than $a$. The distance between these two distributions is at most $2\gamma$. Thus the contribution to the expected leakage is at most $\gamma$. 
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The expected leakage of all cases together is at most 6/{8n). 

So we get for every distribution a deterministic protocol with error 5/4 
and expected leakage 6/{8n). Then lemma ITSl gives us a single public coin 
randomized protocol with leakage 5/(4n). The communication complexity 
is 0(n^/5), the error is at most 6/2. 

Applying Lemma [?] gives us a protocol with leakage $\delta/(2n)$, error $\delta$, communication $O(n^2/\delta)$ using no public coin. Then we can use Lemma [?] to see that the protocol actually has privacy loss at most $\delta$. □

6 Conclusions and open problems 

In this paper we have discussed privacy with respect to honest players with a focus on the themes quantum communication and protocols with (small) privacy loss or leakage. We have given an example of a function that can be computed with exponentially smaller privacy loss using quantum communication than in the case of classical communication. The set of functions with privacy loss 0 is, however, not enlarged by quantum communication. For Boolean functions we were able to give a simple characterization of the quantum private functions as $f_A(x) \oplus f_B(y)$. It is known [?] that allowing small leakage (leakage $\delta$ and error $\epsilon$ with $\epsilon + \delta < 1/2$) for classical communication does not allow the computation of more functions. In the quantum case, however, leakage allows the computation of the AND function (with a tradeoff between the number of rounds and the leakage).

The characterization for Boolean functions can be extended to the case of multiparty private computation. As in [?] it can be shown that only functions of the form $f_1(x_1) \oplus \cdots \oplus f_k(x_k)$ can be quantum computed in a way so that every set of $\lceil k/2 \rceil$ players learns nothing more about the other players' inputs than what is deducible from their inputs and the output alone. Since every function can be computed classically so that no coalition of less than $k/2$ players learns more than allowed [?], and the aforementioned functions are private against coalitions of even $k-1$ players, there are only 2 levels in this hierarchy of privacy for quantum computation, as in the classical case, see [?]. Note that more such levels exist for non-Boolean functions [13].

We now give some open problems. A more realistic type of player is an adversary that has two objectives: with highest priority he wants the output to be correct with large probability. But then he also wants to learn as much as possible under this constraint. As an illustration of the power of this kind of player consider a technique from a proof for a lower bound on the quantum communication complexity of the inner product function in [?]. Given any clean (for simplicity assume errorless) protocol for the inner product function, one player may take a uniform superposition over all possible inputs instead of his real input and use that protocol. Applying a Hadamard transform to his (fake) input register after the protocol has stopped supplies the player with the other player's input. So he is able to compute the function value and learn maximal information at the same time given any clean protocol. Note that the player is not even approximately honest, though.

A restricted form of this hard-to-analyze type of player is an almost honest player that roughly follows the protocol, but only sends messages that are within distance $\epsilon$ of the "correct" messages. This allows in the quantum case e.g. the use of approximate cloning as in [?], or generally the following type of attack: the player uses the protocol with some probability $\epsilon$ for a fake input. Then he learns some information he should not know with probability $\epsilon$. If we measure the divulged information in the information theoretic sense there are private functions, e.g. IdMiUn, for which such a player can obtain $\epsilon n$ bits of information while being approximately honest.

A study of privacy with approximately honest players would be interesting. In particular, can the quantum protocol for disjointness be made secure against them? The set of private Boolean functions is robust against such players, since they are of the form $f_A(x) \oplus f_B(y)$. About non-Boolean functions no results seem to be known even in the classical case.

Another open problem is the following: can we extend the characterization of (non-Boolean) classically private functions to the case of small leakage, or does small leakage make some (non-Boolean) nonprivate functions computable in the classical case?

Finally, how can one prove lower bounds on the privacy loss of quantum protocols? Since the privacy loss is always smaller than the communication complexity, this is different from proving lower bounds for quantum communication complexity as e.g. in [21, ?]. We have shown that the quantum privacy loss of the disjointness problem is only $O(\log^2 n)$, while the quantum communication complexity of disjointness is $\Omega(\sqrt{n})$ [30].